In many enterprises, after-hour user and/or employee activity commonly poses detection challenges. As used herein, “after-hour” activity refers to activities carried out by a user and/or employee of the enterprise prior or subsequent to the user's normal or regular hours associated with an enterprise role. Such activity might be observed when, for instance, a user's account is compromised by an attacker through various means (social engineering, breach of an authentication server, compromise of another external account, etc.) or the user's machine is infected with malware. Once a user's credentials or machine are compromised, the attacker has a multitude of attack vectors at his or her disposal, including using the compromised credentials to access other resources within the enterprise, installing a back-door from a compromised machine to an external command-and-control center, etc. These attack avenues can additionally induce user activity (for example, network traffic or authentication requests) at times of the day that differ from those of the associated user's regular working hours.
Further, in a (globally) distributed enterprise, users are located in different locations and likely have different job functions that induce different patterns of work activity (for example, IT administrators might work night shifts, while consultants may travel to many destinations and have irregular working hours). Consequently, existing user modeling approaches that include inferring a user's working hours based on the user's location (for example, assume working hours are 8 am-5 pm in the local time zone) routinely produce inaccurate results. Additionally, existing modeling approaches that include installation of agents on all end-point devices in the enterprise so as to upload users' login and log-off timestamps to a centralized location are expensive to deploy and commonly require changes to practices employed by most organizations.
Accordingly, a need exists for techniques to build a model of user activity within an enterprise setting and detect suspicious after-hour activity based on such a model.
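The contrast drawn above between a fixed local-time-zone assumption and a per-user activity baseline, as an added illustration (not code from the patent): over constructed authentication timestamps for a night-shift administrator and a daytime analyst, the fixed 8 am-5 pm rule flags nearly all of the administrator's legitimate logins, while a per-user hour-of-day profile flags only the two out-of-pattern events. The `min_share` threshold and the ±1-hour smoothing are assumptions chosen for this small sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of (user, local-time ISO timestamp) authentication events.
# "admin1" works night shifts; "analyst1" keeps daytime hours. Each has one
# event that falls outside their own habitual pattern.
EVENTS = [
    ("admin1", "2024-03-04T22:05:00"), ("admin1", "2024-03-04T23:40:00"),
    ("admin1", "2024-03-05T01:15:00"), ("admin1", "2024-03-05T03:50:00"),
    ("admin1", "2024-03-05T05:30:00"), ("admin1", "2024-03-05T22:30:00"),
    ("admin1", "2024-03-06T00:10:00"), ("admin1", "2024-03-06T02:45:00"),
    ("admin1", "2024-03-06T04:20:00"), ("admin1", "2024-03-06T14:00:00"),  # unusual daytime login
    ("analyst1", "2024-03-04T08:30:00"), ("analyst1", "2024-03-04T11:00:00"),
    ("analyst1", "2024-03-04T15:45:00"), ("analyst1", "2024-03-05T09:10:00"),
    ("analyst1", "2024-03-05T13:20:00"), ("analyst1", "2024-03-05T16:50:00"),
    ("analyst1", "2024-03-06T08:55:00"), ("analyst1", "2024-03-06T12:05:00"),
    ("analyst1", "2024-03-06T17:10:00"), ("analyst1", "2024-03-06T02:30:00"),  # unusual night login
]

def fixed_hours_after_hour(ts, start=8, end=17):
    """The location-based baseline the text criticises: 8 am-5 pm local time."""
    return not (start <= datetime.fromisoformat(ts).hour < end)

def build_profiles(events, min_share=0.2):
    """Per-user hour-of-day histogram. An hour counts as 'regular' when the
    +-1 hour window around it holds at least min_share of the user's activity
    (assumed smoothing so a few days of logins do not leave one-hour gaps)."""
    hist = defaultdict(Counter)
    for user, ts in events:
        hist[user][datetime.fromisoformat(ts).hour] += 1
    profiles = {}
    for user, counts in hist.items():
        total = sum(counts.values())
        regular = set()
        for h in range(24):
            window = sum(counts[(h + d) % 24] for d in (-1, 0, 1))
            if window / total >= min_share:
                regular.add(h)
        profiles[user] = regular
    return profiles

def learned_after_hour(profiles, user, ts):
    """After-hour relative to the user's own learned pattern, not the clock."""
    return datetime.fromisoformat(ts).hour not in profiles[user]

def flagged(events, profiles):
    """Events each method would raise, so the two approaches can be compared."""
    fixed = [(u, t) for u, t in events if fixed_hours_after_hour(t)]
    learned = [(u, t) for u, t in events if learned_after_hour(profiles, u, t)]
    return fixed, learned
```

On this sample the fixed rule raises 11 events (nine of them the administrator's routine night logins), whereas the learned profile raises exactly the two out-of-pattern events.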